Java: SSO made easy by SAML 2.0 with ADFS
Recently I wrote the blog Fiori Launchpad: SSO made easy by SAML 2.0 with ADFS. In the comments on that blog there were questions about Java SSO with SAML 2.0. I have seen many documents on configuring SAML for Java, but none of the ones I found was current for the latest versions of SAP NetWeaver.
So I decided to write something on it and give the community an idea of how this can be achieved. Keep in mind that the SAML configuration in ABAP and Java is almost the same; here I give an overview of how to do it on a Java system. For some of the steps I refer you to my Fiori Launchpad: SSO made easy by SAML 2.0 with ADFS document. I hope this helps everyone configure SAML for Java.
Matt Fraser also discussed SPNego on Java in the comments on Fiori Launchpad: SSO made easy by SAML 2.0 with ADFS; that guide can be found at: Single Sign-On for Java with SPNego
Where to start?
Open the SAP NetWeaver Administrator on your Java system at http(s)://host:port/nwa and navigate to Configuration >> Security >> Authentication and Single Sign-On >> SAML 2.0
Enable SAML 2.0 Support
Local Provider configuration
Provider Name is the fully qualified hostname (FQHN) of your system; it becomes the SAML entity ID that ADFS will see in your metadata, so it must be unique among all providers ADFS trusts.
On this screen click the Browse button next to Signing Key Pair
Press the Create button
Create the key storage view by continuing through the screen
Continue on next screen
Click on Finish
Trusted providers Configuration
Change to the Trusted Providers tab within the SAML 2.0 screen and select Add >> Specify Metadata URL
URL : https://<ADFS FQDN>/FederationMetadata/2007-06/FederationMetadata.xml
Note: On an ABAP system you have to provide the metadata XML file, but on Java you can point to the URL of the XML file
On this screen deselect the Verify option and continue. (Verify checks the XML signature on the federation metadata; if you skip it, the only thing guaranteeing that the metadata is genuine is the HTTPS connection to the ADFS host, so use an HTTPS URL and a host you control, or verify the signature with the ADFS signing certificate.)
Provide the ADFS signing certificate
Note: For how to obtain the certificate, see Fiori Launchpad: SSO made easy by SAML 2.0 with ADFS, section Trusted Provider (Note: getting the certificate)
Provide Name and continue
Now continue through all remaining steps with the default settings until the end of the wizard.
Now go to the trusted provider's Identity Federation tab and add the Name ID format (in my case the username is used as the Name ID)
Now make sure you enable the configuration, and then download the Local Provider metadata.
Note: If the downloaded XML file is blank, restart both the Local Provider and the Trusted Provider and download it again.
Add Relying Party Trust
To configure this, follow the steps under the Configure ADFS section of Fiori Launchpad: SSO made easy by SAML 2.0 with ADFS
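The ADFS side of this step can also be scripted. The following PowerShell is an added example, not part of the original post and not SAP's or Microsoft's own code: it registers the Java system as a relying party from the Local Provider metadata downloaded in NWA, attaches claim rules that issue the Windows account name as the SAML Name ID (matching the username Name ID format chosen above), and first checks that no existing trust already uses the same identifier, because ADFS rejects duplicate relying party identifiers. The metadata path and the trust name are assumptions; adjust them for your landscape.

```powershell
# Added example (not from the original post): register the NetWeaver Java local
# provider in ADFS from the metadata downloaded in NWA and send sAMAccountName as
# the SAML Name ID. Run in an elevated PowerShell on an ADFS server.
#Requires -Modules ADFS

$SpMetadataFile = 'C:\SAML\nwa-java-sp-metadata.xml'   # assumed path of the downloaded Local Provider metadata
$TrustName      = 'SAP NetWeaver Java'                  # assumed display name for the trust

# 1. Read the entity ID (the NWA "Provider Name") from the SP metadata.
[xml]$md = Get-Content -Path $SpMetadataFile -Raw
$entityId = $md.EntityDescriptor.entityID
if (-not $entityId) { throw "No entityID found in $SpMetadataFile" }

# 2. Check: every relying party identifier must be unique in ADFS, so stop if an
#    existing trust (for example the ABAP system on the same host) already uses it.
$clash = Get-AdfsRelyingPartyTrust | Where-Object { $_.Identifier -contains $entityId }
if ($clash) {
    throw ("Identifier '$entityId' is already used by trust '$($clash.Name)'. " +
           "Change Provider Name in NWA and download the metadata again.")
}

# 3. Claim rules. Rule 1 looks up sAMAccountName for the authenticated Windows
#    account and adds it to the pipeline as a Name ID; rule 2 issues that Name ID
#    with the 'unspecified' format, which is what the NWA Identity Federation
#    tab expects when the username is used as the Name ID.
$transformRules = @'
@RuleName = "Lookup sAMAccountName for Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "Issue Name ID with unspecified format"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified");
'@

# Authorization rule: permit all authenticated users to use this relying party.
$authRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# 4. Create the trust from the SP metadata (entity ID, assertion consumer
#    endpoints and the SP signing certificate are all taken from the file).
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataFile $SpMetadataFile `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authRules `
    -Enabled $true

# 5. Show what was registered so it can be compared with the NWA screens.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, Enabled, SamlEndpoints, SignatureAlgorithm
```

If step 2 throws, the Provider Name in the NWA Local Provider configuration collides with an identifier already registered in ADFS; change it there, download the metadata again and rerun the script, rather than editing the identifier in ADFS only, because the entity ID in the metadata and in the SAML requests sent by the Java system must match.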
Now test your configuration. If it does not work, check the ticket policy configuration under Components (Authentication tab of the same NWA screen) and make sure that
SAML2LoginModule is at the top of the login module list.
Thank you for reading
First off, thanks for the well-documented steps for both the JAVA and Fiori Launchpad SAML2 configuration with ADFS.
I have a scenario to configure SSO for Fiori and EP where the AD user IDs are completely different from the SAP user IDs. Also, the AD users are from three different domains.
And after going through various documents and your blog, what I understood is that the basic configuration remains the same, but the claim configuration on the ADFS side and the SAP side will need to be configured accordingly. Could you please confirm if my understanding is correct, and also which attributes I can use to attain SSO for EP and Fiori?
Thanks for the doc. Helped me solve the issue.
Thanks for this post, but how can SAML2 be configured in the case of a server with 2 SAP systems (one ABAP and another JAVA), a typical case for BI?
Once we have configured SAML for the ABAP part, we get an error in the configuration of the JAVA part, specifically in ADFS:
"AD FS Management error: An error occurred when trying to access the AD FS configuration database. Error message: MSIS7612: Each identifier for a relying party trust must be unique across all relying party trusts in the AD FS configuration"
In our case, both URLs (ABAP and JAVA) use the same hostname. We tried to change the "Provider Name" field in the SAML configuration of the JAVA system and download the metadata again. That way ADFS accepted the metadata file, but SSO does not work.
Any suggestions for this case? Thanks and regards
I am trying to configure a Solution Manager 7.2 JAVA host. For the step General Settings -> Signing Key Pair, a Key Store has to be created (if I'm right), but the local host certificate has already been configured, so there should be no need for a new cert for ADFS. Company security policy does not allow internal SAP systems to use untrusted (self-generated) certs. Any comment?